AUDIT RESULTS

ED Activities Which Collect Personally Identifiable Information

We identified 54 ED activities that collect, through the Internet, personally identifiable information that users supply voluntarily. The information collected generally includes names, mailing addresses, email addresses, and phone numbers. Attachment 1 provides a list of the activities identified.

Use of Agreements with Third Parties

ED officials informed us that ED does not have agreements with third parties for the purpose of collecting personally identifiable information as described in Title VI, Section 646 of the Act. During our limited testing of ED Internet sites and Web pages, nothing came to our attention to indicate that such agreements exist.

Findings on ED's Management of Internet Activities

During our audit, we reviewed 64 ED Internet servers, 111 Internet sites, and 4,056 Web pages that were on-line as of January 26, 2001. We analyzed ED's use of cookies on its Internet servers. A "cookie" (1) is information that a Web site stores on the user's computer, and that the browser sends back on later requests, so that the site can recognize that user and track information about him or her. There are two types of cookies:

• Session Cookie: A cookie used to retain and correlate information about a user during a single session. It is kept only for the life of the browser session and expires when the user closes the browser.

• Persistent Cookie: A cookie with a set expiration date. It is written to disk and returned to the site on every later visit until that date, so it can be used to trace the activities of a user over time. It may store the user's log-in information, including the password and email address the user uses to access an Internet site.

We designed our test to determine the existence of persistent cookies, which would allow ED to collect and use personally identifiable information.
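The persistent-cookie test just described can be reproduced from the Set-Cookie headers a server returns: a cookie with neither an Expires nor a Max-Age attribute dies with the browser session, and anything else is persistent for as long as the attribute says. The Python script below is an added example written for this page; it is not the software package the auditors used and it is not ED code. The cookie names and values are constructed; the server names and expiration dates are the ones reported in Finding 1, and the reference date is the audit's January 26, 2001 on-line date. It also shows what a cookie that really did last 48 hours (the lifetime students.gov officials believed they had set) would look like.

```python
"""Classify Set-Cookie headers as session, persistent or expired cookies.

Added example; not the auditors' software package and not ED code.
Cookie names and values are constructed; the expiration dates are the
ones the report gives for each server in Finding 1.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Reference point: servers were tested as they were on-line on January 26, 2001.
AUDIT_DATE = datetime(2001, 1, 26)

# "expires" date formats seen in practice: Netscape style (dashes) and RFC 1123 style.
EXPIRES_FORMATS = (
    "%a, %d-%b-%Y %H:%M:%S %Z",
    "%a, %d %b %Y %H:%M:%S %Z",
    "%A, %d-%b-%y %H:%M:%S %Z",
)


def parse_expires(value: str) -> Optional[datetime]:
    """Parse a Set-Cookie expires attribute; None if the format is not recognised."""
    for fmt in EXPIRES_FORMATS:
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    return None


def classify_cookie(set_cookie: str, now: datetime = AUDIT_DATE) -> dict:
    """Classify one Set-Cookie header value.

    No Expires and no Max-Age: a session cookie, discarded when the browser closes.
    A positive lifetime: a persistent cookie, written to disk and sent back on every
    later visit until it expires, which is what lets a site correlate visits over time.
    A lifetime of zero or less: an expired cookie (servers send these to delete a cookie).
    """
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    expires: Optional[datetime] = None
    max_age: Optional[int] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "expires":
            expires = parse_expires(val)
        elif key == "max-age":
            try:
                max_age = int(val.strip())
            except ValueError:
                pass
    if max_age is not None:            # Max-Age takes precedence when both are present
        expiry = now + timedelta(seconds=max_age)
    elif expires is not None:
        expiry = expires
    else:
        return {"name": name, "kind": "session", "lifetime_days": 0}
    lifetime_days = (expiry - now).days
    kind = "persistent" if lifetime_days > 0 else "expired"
    return {"name": name, "kind": kind, "lifetime_days": lifetime_days}


def persistent_cookie_findings(responses: Dict[str, List[str]],
                               now: datetime = AUDIT_DATE) -> List[dict]:
    """Return one finding per persistent cookie, longest-lived first."""
    findings = []
    for server, headers in responses.items():
        for header in headers:          # one Set-Cookie header value per entry
            info = classify_cookie(header, now)
            if info["kind"] == "persistent":
                findings.append({
                    "server": server,
                    "cookie": info["name"],
                    "lifetime_days": info["lifetime_days"],
                    "years": round(info["lifetime_days"] / 365.25, 1),
                })
    return sorted(findings, key=lambda f: f["lifetime_days"], reverse=True)


# Constructed Set-Cookie headers (hypothetical cookie names and values);
# the expiration dates are the ones reported for each server.
SAMPLE_RESPONSES = {
    "ocfo.ed.gov":     ["TRACKID=8a1f; expires=Thu, 30-Dec-2010 00:00:00 GMT; path=/"],
    "easitest.ed.gov": ["TRACKID=91c0; expires=Thu, 30-Dec-2010 00:00:00 GMT; path=/"],
    "nle2.ed.gov":     ["VISITOR=7d2e; expires=Sat, 26-Sep-2037 00:00:00 GMT; path=/"],
    "students.gov":    ["SESSION=44b1; path=/",
                        "VISITOR=c3a9; expires=Sat, 26-Sep-2037 00:00:00 GMT; path=/"],
    "www.ed.gov":      ["SESSION=0f9a; path=/"],
}

# What students.gov officials believed they had set: a cookie good for 48 hours.
STUDENTS_GOV_AS_DESCRIBED = "VISITOR=c3a9; max-age=172800; path=/"

if __name__ == "__main__":
    for f in persistent_cookie_findings(SAMPLE_RESPONSES):
        print(f"{f['server']:18} {f['cookie']:10} persistent for {f['lifetime_days']:>6} days "
              f"(about {f['years']} years)")
    print("as described:", classify_cookie(STUDENTS_GOV_AS_DESCRIBED))
```

Run stand-alone, the script lists the four persistent cookies longest-lived first; the nle2.ed.gov and students.gov cookies come out at 13,392 days, about 36.7 years, which is the "36 years" the report cites. Two points matter for a review checklist: a header carrying Max-Age is persistent even when it has no Expires date, and a cookie is "temporary" in the session sense only when it carries neither attribute.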
We also tested whether ED adequately posted privacy policies on sites collecting personally identifiable information, and whether ED used means other than cookies to collect personally identifiable information without the end user's direct knowledge.

As a result of these tests, we identified three areas needing additional oversight. Specifically, we found that ED needs to 1) strengthen controls over the use of persistent cookies, 2) ensure that privacy policy notices are provided, and 3) monitor methods for collecting personally identifiable information.

(1) Definitions for "cookie" and other Internet technology terms are provided in Attachment 2.

Finding 1: ED Needs to Strengthen Controls Over the Use of Persistent Cookies

We found that 4 of ED's 64 Internet servers attached persistent cookies. In three occurrences, management was not aware that the servers were attaching persistent cookies. In the fourth occurrence, management was aware of the cookie but did not know that it was a persistent cookie lasting 36 years.
While our limited testing did not identify that these cookies were collecting personally identifiable information, ED needs to ensure that controls are in place to detect the use of persistent cookies.

Office of Management and Budget (OMB) Memorandum 00-13 states "cookies should not be used at Federal web sites, or by contractors when operating web sites on behalf of agencies, unless, in addition to clear and conspicuous notice, the following conditions are met: a compelling need to gather the data on the site; appropriate and publicly disclosed privacy safeguards for handling of information derived from cookies; and personal approval by the head of the agency." The four servers we identified are:

• ocfo.ed.gov (also accessible as gcs.ed.gov) (Figure 1): This server attached a persistent cookie with an expiration date of December 30, 2010. The responsible ED official was not aware that this server was attaching persistent cookies and stated that any information that might be stored by these cookies was not being used by ED.

Figure 1. ocfo.ed.gov persistent cookie

• easitest.ed.gov (Figure 2): This server attached a persistent cookie with an expiration date of December 30, 2010. ED officials stated that this server was obsolete and should have been taken off-line about 18 months earlier. These officials were not aware that the server was attaching persistent cookies and were unaware of any information that might be stored by the persistent cookies or how such information might be used.

Figure 2. easitest.ed.gov persistent cookie

ED-OIG/A11-B0002

• nle2.ed.gov (Figure 3): This server attached a persistent cookie with an expiration date of September 26, 2037. ED officials were not aware that the server was attaching persistent cookies. The site has an average of over 18,800 (2) unique visitors monthly.

Figure 3. nle2.ed.gov persistent cookie

• students.gov (also accessible as www.students.gov) (Figure 4): This server attached a persistent cookie with an expiration date of September 26, 2037. ED officials were aware of this cookie but thought it was "temporary," lasting only 48 hours.

Figure 4. students.gov persistent cookie

ED officials told us that they were not aware that the four servers we identified in our testing were attaching persistent cookies. Accordingly, none of these servers provided the "clear and conspicuous notice" explaining the use of the persistent cookies to the end user that OMB 00-13 requires. Three of the four servers did not have a privacy policy notice or a link to a privacy policy notice. The students.gov server had a link to a privacy policy, but that policy inappropriately described the cookie as "temporary" rather than persistent.

In August 2000, the ED Internet Working Group (3) provided the results of its survey on the use of cookies.
ED Principal Offices were polled in July 2000 to identify all use of "cookies" on public access web sites in the ed.gov domain. (4) ED officials identified 13 instances of session cookies. The survey identified one persistent cookie, but this use met a valid business purpose and the cookie expired in 24 hours. The survey report stated that, "The survey indicates that ED is using cookies responsibly; no instances were discovered where cookie use was functionally unnecessary or accidental." Our results indicate that persistent cookies were being attached without management knowledge or a documented need.

ED's management controls for reviewing ED Web sites and World Wide Web operations did not specify that ED officials should review them for the use of persistent cookies. ED officials provided us with the internal policy, procedures, and checklists that they use for ED's Internet servers, sites, and Web pages. None of these documents provided instructions for reviewing existing servers regarding the use of persistent cookies.

(2) This number represents a three-month average using the total number of unique visitors to the nle2 server for the months of October, November, and December 2000.

(3) The Internet Working Group is composed of principal office representatives who design processes for quality control and monitoring of ED's Web sites. It is chaired by the Office of the Chief Information Officer.

(4) The ed.gov domain represents all ED controlled Web pages. We sampled about one percent of the Web pages for the domain. The persistent cookie identified by ED, ED Publications ordering, did not fall into our sample.

Recommendations:

The Chief Information Officer should:

1.1. Determine whether the four persistent cookies identified in this report are necessary. ED should remove any unnecessary cookies and ensure that any remaining cookies comply with OMB 00-13.

1.2. Determine how the four persistent cookies identified in this report were attached without management knowledge and implement procedures to prevent future instances.

1.3. Revise existing procedures to require principal office officials to review servers, sites, and Web pages in advance to determine that unnecessary persistent cookies are not used.

1.4. Develop and implement procedures to periodically review all servers, sites, and Web pages to identify existing cookies and to determine that applicable legal and regulatory requirements have been met for their use.

1.5. Develop and implement procedures to remove obsolete servers, sites, and Web pages.

Finding 2: ED Needs to Ensure Privacy Policy Notices Are Provided

ED officials did not consistently provide required privacy policy notices for Web pages that collect personally identifiable information. We found that 32 (59%) of the 54 activities identified as collecting personally identifiable information through the Internet did not have privacy policy notices or links to notices. Privacy policy notices or links to these notices may have been present on "Home" Web pages, but they were not always present on the pages that actually collect personally identifiable information.

OMB Memorandum 99-18, Privacy Policies on Federal Web Sites, specifies that Federal agencies should provide privacy policy notices at major entry points, as well as at any web page where the agencies collect substantial personal information from the public.
The memorandum adds that "each policy must clearly and concisely inform visitors to the site what information the agency collects about individuals, why the agency collects it, and how the agency will use it. Privacy policies must be clearly labeled and easily accessed when someone visits a web site." Additionally, ED's World Wide Web Server Policy and Procedures (June 1999) specify that ED officials must review Internet sites in advance to ensure that information contained and transmitted via the ED-WWW Server will be secure, that all relevant Federal statutes are adhered to, and that appropriate warnings, disclosures, and/or disclaimers are openly displayed.

ED officials originally identified 46 activities where personally identifiable information is collected through the Internet. The activities collect personally identifiable information such as names, addresses, email addresses, and phone numbers. During our audit, we identified an additional 8 activities. Of these 54 activities, privacy policy notices were not provided for 32 (59%) as required by OMB and ED policies. Attachment 1 lists the 54 activities and identifies those that did not provide privacy policy notices.

For example, as illustrated in Figure 5, the Office of Elementary and Secondary Education's Reading Excellence Program has a registration form available on-line. At the time of our review, this Web page did not provide a privacy policy notice or a link to a notice. OMB specifies that privacy policy notices must be clearly labeled and easily accessed.

Figure 5: Illustration of personally identifiable information collected through ED Internet site http://www.ed.gov/offices/OESE/REA/application.html

Recommendations:

The Chief Information Officer should:

2.1. Identify all major entry points to ED's Internet information as well as any web pages where ED collects personal information from the public. Once all of these locations are identified, ED needs to create privacy policy notices or obvious links to privacy policy notices as required by OMB.

2.2. Develop and implement management controls designed to ensure that privacy policy notices are located on needed entry points and Web pages of both existing and future sites.

Finding 3: ED Should Monitor Methods for Collecting Personally Identifiable Information

After completion of our testing for cookies, we performed several analyses of the source code of the Web pages in the sample. This testing was performed to provide assurance that ED was not making use of Web bugs, hidden forms, client-side scripts, links to anonymous File Transfer Protocol (FTP) servers, or other means to collect personally identifiable information from Internet sites without a user's direct participation and knowledge.
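One way to mechanize the source-code review just described, as an added example that is neither the auditors' tooling nor ED code: the Python scanner below parses a page and flags images that load from another host or are only a pixel in size (Web bug candidates, as defined in Attachment 2), hidden form fields, forms that post off-site, scripts, and links to FTP servers that carry no user name and so will be visited as "anonymous", the case in which a browser may supply the user's email address as the password. The sample page, its URL and every host name in it are constructed for illustration.

```python
"""Scan Web page source for mechanisms that collect visitor data covertly.

Added example for the source-code review described in Finding 3; it is
not the auditors' tooling and not ED code. SAMPLE_URL, SAMPLE_PAGE and
the host names inside them are constructed for illustration.
"""
from html.parser import HTMLParser
from typing import Dict, List
from urllib.parse import urljoin, urlparse


class CollectionScanner(HTMLParser):
    """Record page elements that can disclose information about the visitor."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.page_host = urlparse(page_url).hostname
        self.findings: List[Dict[str, str]] = []

    def _host(self, url: str):
        # Resolve relative URLs against the page so "/images/x.gif" maps to the page's host.
        return urlparse(urljoin(self.page_url, url)).hostname

    def _add(self, kind: str, detail: str, reason: str) -> None:
        self.findings.append({"kind": kind, "detail": detail, "reason": reason})

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img":
            src = a.get("src", "")
            host = self._host(src)
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            if host not in (None, self.page_host):
                # Fetching the image sends the visitor's IP address, browser type,
                # referring page and any cookies for that host to a third party.
                self._add("web bug candidate", src, f"image loads from {host}")
            elif tiny:
                self._add("web bug candidate", src, "1x1 pixel image")
        elif tag == "input" and a.get("type", "").lower() == "hidden":
            # Hidden fields are submitted with the form but never shown to the user.
            self._add("hidden field", f"{a.get('name', '')}={a.get('value', '')}",
                      "submitted without display")
        elif tag == "form":
            host = self._host(a.get("action", ""))
            if host not in (None, self.page_host):
                self._add("form posts off-site", a.get("action", ""), f"data sent to {host}")
        elif tag == "script":
            self._add("client-side script", a.get("src") or "inline", "runs in the visitor's browser")
        elif tag == "a":
            href = a.get("href", "")
            parsed = urlparse(href)
            if parsed.scheme == "ftp" and parsed.username in (None, "anonymous"):
                # With no user name in the URL the browser logs in as "anonymous" and
                # supplies a password on the user's behalf, by convention an email address.
                self._add("anonymous FTP link", href,
                          "browser may send the user's email address as the FTP password")


def scan_page(html: str, page_url: str) -> List[Dict[str, str]]:
    """Return the findings for one page's source."""
    scanner = CollectionScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def count_by_kind(findings: List[Dict[str, str]]) -> Dict[str, int]:
    """Summarize findings as {kind: count} for a per-site tally."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["kind"]] = counts.get(f["kind"], 0) + 1
    return counts


# Constructed sample: a hypothetical feedback form page (not a real ED page).
SAMPLE_URL = "http://www.ed.gov/example/feedback.html"
SAMPLE_PAGE = """
<html><body>
<form action="/cgi-bin/feedback" method="post">
  Name: <input type="text" name="name">
  Email: <input type="text" name="email">
  <input type="hidden" name="source" value="campaign-12">
  <input type="submit" value="Send">
</form>
<img src="/images/logo.gif" width="120" height="40" alt="logo">
<img src="http://counter.example.net/t.gif?page=feedback" width="1" height="1">
<a href="ftp://ftp.example.gov/pub/techref.pdf">Technical reference (FTP)</a>
<script src="/js/menu.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for f in scan_page(SAMPLE_PAGE, SAMPLE_URL):
        print(f"{f['kind']:22} {f['detail']:45} {f['reason']}")
    print(count_by_kind(scan_page(SAMPLE_PAGE, SAMPLE_URL)))
```

The scanner reports candidates, not verdicts: a same-host 1x1 image may be a harmless layout spacer, and a hidden field may carry nothing more than a form version. The point of the check is that every one of these elements is invisible to the person filling in the form, so each one needs a reviewer to confirm what it sends and to whom before the page goes on-line.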
The results of our testing disclosed nine pages where ED used links to anonymous FTP servers.

• Five pages were on a site used by ED employees to read their government email over the public Internet.

• Four pages were on a site used to obtain technical reference documents related to Student Financial Assistance (SFA).

An anonymous FTP server accepts any password for the "anonymous" account and, by convention, asks the user to supply an email address as that password. Web browsers have a built-in function that does this on the user's behalf, passing the user's email address to the anonymous FTP server when files are downloaded. Typical Internet users are often not aware that this type of personally identifiable information is being provided to the server. Our discussions with ED personnel responsible for managing ED's Internet sites indicated that they did not know that they were still running anonymous FTP servers.

Recommendations:

The Chief Information Officer should:

3.1. Determine if there is still adequate justification for maintaining anonymous FTP servers. If there is such a need, provide adequate disclosure to users that their email address may be collected by the server and how ED will use the email addresses collected.

3.2. Develop and implement procedures to identify and prevent Web bugs, hidden forms, embedded client-side scripts, links to anonymous FTP servers, or other means to collect personally identifiable information from Internet sites without a user's direct knowledge.

Auditee's Response and Auditor Comments

We received and reviewed your comments dated February 15, 2001. In your response, you state that the Office of the Chief Information Officer (OCIO) concurs with the basic findings of our draft audit report and that the report was complete and well done. Your response, which is included as Attachment 3 to this report, also contained observations and corrective actions completed and planned. In general, we find the draft report responses satisfactory to begin addressing our recommendations. The following paragraphs are additional comments that we have on specific statements in your response.

Your response states that the four persistent cookies we identified have been removed and that easitest.ed.gov has been removed from service. As of February 16, we found that the easitest.ed.gov server was still accessible and that the students.gov server was still attaching a persistent cookie. Other than testing for the removal of persistent cookies on these four servers, we have not taken steps to confirm that your stated completed actions were implemented.

Your response also states that SFA officials "disagree with the interpretation of what constitutes a site of interest" in reference to the additional sites or pages that we found to be collecting personally identifiable information in Attachment 1 of this report. We used the Attachment to OMB Memorandum 99-18 as our criteria for what constitutes personally identifiable information. This memorandum includes email addresses as personally identifiable information. Although SFA officials disagreed with this interpretation, they agreed to modify the sites we identified to ensure that privacy policy notices are provided.

Additionally, your response included a clarification provided by National Center for Education Statistics (NCES) officials concerning NCES Web pages identified in Attachment 1. We have updated Attachment 1 to include the NCES pages specified and noted that these pages have privacy policy notices.

BACKGROUND

ED uses a decentralized approach for ensuring that ED Internet sites and Web pages comply with laws, memoranda, and policies and procedures.
Each Principal Office within ED is responsible for its respective Internet sites and Web pages and for the content on those sites and pages. ED's Internet Working Group has a representative from each ED Principal Office and is chaired by the OCIO. These members are involved in development efforts for their respective Principal Offices. All of ED, including SFA, is required to follow the World Wide Web Server Policy and Procedures (June 1999) issued by OCIO.

AUDIT OBJECTIVES, SCOPE AND METHODOLOGY

Audit Objectives

The objectives of our audit were to report to Congress any activity of ED relating to:

(1) the collection or review of singular data, or the creation of aggregate lists that include personally identifiable information about individuals who access any Internet site of ED; and

(2) agreements with third parties to collect, review, or obtain aggregate lists or singular data containing personally identifiable information relating to any individual's access or viewing habits for government and non-governmental Internet sites.

Scope and Methodology

To fulfill these objectives, our audit focused on disclosing any activities that collect personally identifiable information through the Internet and disclosing agreements with third parties to collect personally identifiable information relating to any individual's access or viewing habits on ED or non-governmental Internet sites. For the activities that collect personally identifiable information, we tested to determine whether or not these activities had the required privacy policy notices. We also tested our sample for the existence of persistent cookies and the use of Web bugs, hidden forms, embedded client-side scripts, links to anonymous FTP servers, or other means for Internet sites to collect personally identifiable information without a user's direct participation.

We interviewed officials from ED's OCIO and from the three offices responsible for the Internet sites or Web pages that assigned persistent cookies, specifically officials from SFA, the Office of the Chief Financial Officer, and NCES.

Our audit included ED Internet servers, sites, and Web pages that were on-line as of January 26, 2001. Because ED continuously updates its Internet servers, sites, and Web pages, some of the information that we included in our review may no longer be available.

We used Internet search engines to identify web pages for each of the 111 Internet sites in our sample, then selected a sample of Web pages to review. When a site had fewer than 100 pages, we reviewed all of the pages. For sites having 100 to 199 pages, we reviewed the first 100. For sites having 200 or more pages, we randomly sampled 100 pages.

We analyzed:

• 4,056 Web pages, or approximately 1 percent of the total number of ED's Web pages;
• 64 ED Internet servers (100 percent of ED Internet servers available);
• 111 ED Internet sites (100 percent of ED Internet sites available); and
• 54 activities that collect personally identifiable information through ED Internet sites.

To perform our analysis, we used a software package to test ED's Internet servers for the use of persistent cookies. All other analysis was done by our auditors accessing ED Internet servers, sites, and Web pages; by reviewing ED documents; and by interviewing ED officials.

We performed our audit work at ED between December 8, 2000, and February 6, 2001. Our audit was performed in accordance with Government Auditing Standards appropriate to the scope of the review.

STATEMENT ON MANAGEMENT CONTROLS

As part of our audit, we assessed the system of management controls, policies, procedures, and practices applicable to our objectives. These included controls over the operation of ED's Internet sites. Because of inherent limitations, a study and evaluation made for the limited purposes of disclosing any ED activities that collect personally identifiable information through the Internet and disclosing ED agreements with third parties to collect personally identifiable information relating to any individual's access or viewing habits on ED or non-governmental Internet sites would not necessarily disclose all material weaknesses in management controls. However, our assessment identified management control weaknesses as discussed in the audit results section of this report.

ADMINISTRATIVE MATTERS

Please provide us with your final response to each open recommendation within 60 days of the date of this report, indicating what corrective actions you have taken or plan to take and the related milestones.

In accordance with OMB Circular A-50, we will keep this audit report on the Office of Inspector General (OIG) list of unresolved audits until all open issues have been resolved.
Any reports unresolved after 180 days from the date of issuance will be shown as overdue in the OIG's Semiannual Report to Congress.

Accordingly, please provide the Supervisor, Post Audit Group, Financial Improvement and Post Audit Operations, OCIO, and OIG's Assistant Inspector General for Audit Services with semiannual status reports. These reports should address promised corrective actions until all such actions have been completed or continued follow-up is unnecessary.

In accordance with the Freedom of Information Act (Public Law 90-23), reports issued by OIG are available, if requested, to members of the press and general public to the extent information contained therein is not subject to exemptions in the Act.

We appreciate the cooperation given during the audit. If you have any questions or wish to discuss the contents of this report, please call Jack Rouch, Director, Systems Internal Audit Team, on 202-260-3878. Please refer to the control number in all correspondence relating to this report.

Attachments

ATTACHMENT 1
ED ACTIVITIES

For each activity, the table records whether personally identifiable information is collected and whether a privacy policy notice (or a link to one) was provided on the collecting page.

#   ED identified activity                                                Personally identifiable   Privacy policy
                                                                          information collected?    provided?
    www.ed.gov
 1  /comments/national/forum/question.html                                Yes                       No
 2  /comments/nationalforum97/index.html                                  Yes                       Yes
 3  /comments/problemform/ProblemForm.html                                Yes                       Yes
 4  /comments/TeachLeader/index.html                                      Yes                       Yes
 5  /Family/agbts/tellus.html                                             Yes                       No
 6  /Family/agbts_old/agbts98/form.html                                   Yes                       No
 7  /Family/agbts_old/tellus.html                                         Yes                       No
 8  /G2K/community/subscribe.html                                         Yes                       No
 9  /inits/americareads/fwsform.html                                      Yes                       No
10  /inits/americareads/pcform.html                                       Yes                       No
11  /inits/Millennium/jazzreg.html                                        Yes                       No
12  /offices/OESE/REA/application.html                                    Yes                       No
13  /offices/OESE/t1.html                                                 Yes                       No
14  /offices/OIG/feedback.htm                                             Yes                       No
15  /offices/OIG/hotlineform.htm                                          Yes                       No
16  /offices/OLCA/olcaform.html                                           Yes                       No
17  /offices/OPE/News/collegeweek/ncwparticipate.html                     Yes                       Yes
18  /offices/OPE/thinkcollege/comment.html                                Yes                       No
19  /offices/OPE/thinkcollege/early/about_us/comment.html                 Yes                       No
20  /offices/OUS/chip/pledge.html                                         Yes                       No
21  /offices/OUS/PES/NAVE/feedback.html                                   Yes                       Yes
22  /Programs/EROD/EROD_collect.html                                      Yes                       No
23  /pubs/CompactforReading/survey.html                                   Yes                       No
    NCES
24  National Postsecondary Aid Study, NPSAS WEB (http://npsas.rti.org/)   Yes                       No
25  http://nces.ed.gov/newsflash/                                         Yes                       Yes
26  National Assessment of Educational Progress (NAEP) Questionnaire      Yes                       Yes
27  NAEP's My School (http://nces.ed.gov/naep/myschool)                   Yes                       Yes
28  NAEP Network, list of state testing directors and NAEP coordinators   Yes                       Yes
29  surveys.nces.ed.gov/ipeds/                                            Yes                       Yes
30  surveys.nces.ed.gov/library/als/                                      Yes                       Yes
31  surveys.nces.ed.gov/library/stla/                                     Yes                       Yes
32  Partnership for Family Involvement in Education Registration Form     Yes                       No
    (http://pfie.ed.gov, "How to Join" link)
33  STW.ed.gov Website Comments and Suggestions                           Yes                       No
    (stw.ed.gov/Database/comments.htm)
34  Examples that work suggestion box (www.stw.ed.gov/EXP_WORK.CFM)       Yes                       No
35  STW Listserv (www.stw.ed.gov/list2.htm)                               Yes                       No
36  e-application (e-grants.ed.gov/e-App/eaHome.asp)                      Yes                       No
37  Teleconferences Registration Web Site (http://registerevent.ed.gov/)  Yes                       No
38  ifap.ed.gov "Members Services"                                        Yes                       No
39  edwebenroll.ed. or sfawebenroll.ed.gov                                Yes                       Yes
40  fafsa.ed.gov                                                          Yes                       Yes
41  www.pellgrantsonline.ed.gov                                           Yes                       Yes
42  www.loanconsolidation.ed.gov                                          Yes                       Yes
43  www.dlservicer.ed.gov                                                 Yes                       No
44  edeworkshop.walcoff.com/secure/main.htm                               Yes                       No
45  www.ed.gov/DirectLoan/consolid2.html                                  Yes                       No
46  pin.ed.gov or eac.ed.gov                                              Yes                       Yes
    Totals, activities identified by ED                                   No: 0, Yes: 46            No: 29, Yes: 17

In addition to the sites identified by ED, we found 8 additional sites that collect personally identifiable information.

47  www.nslds.ed.gov                                                      Yes                       No
48  www.afterschool.ed.gov                                                Yes                       Yes
49  webx.ed.gov                                                           Yes                       Yes
50  test.ifap.ed.gov                                                      Yes                       Yes
51  sfablueprint.ed.gov / www.sfablueprint.ed.gov / sfa-vfa.ed.gov        Yes                       No
52  ombudsman.ed.gov / www.ombudsman.ed.gov / sfahelp.ed.gov              Yes                       Yes
53  students.gov / www.students.gov                                       Yes                       Yes
54  nle2.ed.gov                                                           Yes                       No
    Totals, activities identified by OIG                                  No: 0, Yes: 8             No: 3, Yes: 5

    Grand totals                                                          No: 0, Yes: 54            No: 32, Yes: 22

Attachment 2
GLOSSARY

1. Browser: An application program that provides a way to look at and interact with information on the World Wide Web.

2. Client: The requesting program or user in a client/server relationship. For example, the user of a Web browser is effectively making client requests for pages from servers all over the Web. The browser itself is a client in its relationship with the computer that is getting and returning the requested HTML file. The computer handling the request and sending back the HTML file is a server.

3. Cookie: Information that a Web site puts on the user's computer hard disk so that it can remember something about the client at a later time. (More technically, it is information for future use that is stored by the server on the client side of a client/server communication.) Typically, a cookie records the user's preferences when using a particular site. Under the Web's Hypertext Transfer Protocol (HTTP), each request for a Web page is independent of all other requests. For this reason, the Web server has no memory of what pages it has sent to a user previously or anything about previous visits.
   A cookie is a mechanism that allows the server to store its
   own information about a user on the user's own computer.

    •   Persistent Cookie: A cookie with a set expiration date that can be used to track
        the activities of the user over time. It may store the user's log-in information
        including password and email address used by the user to access an Internet site.

    •   Session Cookie: A cookie used to retain and correlate information about a user
        during a single session. It expires when the user ends the browser session.

4. FTP: File Transfer Protocol, a standard Internet protocol that is the simplest way to
   exchange files between computers on the Internet.

    •   Anonymous FTP: A method for giving users access to files so that they do not
        need to identify themselves to the server.

5. Hypertext: The organization of information units into connected associations that a
   user can choose to make. An instance of such an association is called a link or
   hyperlink.

6. Internet Server: In general, a computer program that provides services to other
   computer programs in the same or other computers. A computer that holds the files
   for one or more sites.

7. Internet site: A collection of Web pages on a particular subject that can be accessed.

8. Link: Using hypertext, a link is a selectable connection from one word, picture, or
   information object to another.

9. Personally Identifiable Information: Name, email address, Social Security number, or
   other unique identifier.

10. Web bug: A file object, usually an image file, that is placed on a Web page or in an
    email message to monitor user behavior, functioning as a kind of spyware.
    Unlike a cookie, which can be accepted or declined by a browser user, a Web bug
    arrives as just another image on the Web page. A Web bug is typically invisible to
    the user because it is transparent (matches the color of the page background) and
    takes up only a tiny amount of space. It can usually only be detected if the user
    looks at the source version of the page to find an image that loads from a different
    Web server than the rest of the page.

11. Web page: On the World Wide Web, a page is a file notated with the Hypertext
    Markup Language (HTML). Usually, it contains text and specifications about where
    image or other multimedia files are to be placed when the page is displayed.


                                                                                   Attachment 3


      contractor inadvertently implemented persistent cookies by failing to modify default
      ColdFusion settings. Cookies have been removed from all but one of the
      approximately 15 ColdFusion applications. The remaining application will be
      converted within the next two weeks to use server-side session variables instead of
      cookies.

      students.gov: This was an anomaly. We believe that it was built with old
      ColdFusion software. The cookie has been removed.

      OCIO procedures will be modified to include cookie tests as part of the acceptance
      testing checklist for future new applications and for modifications to ensure
      compliance.
      See response 1.3 below.

1.3   Revise existing procedures to require principal office officials to review servers,
      sites and Web pages in advance to determine that unnecessary persistent cookies
      are not used.

      OCIO will revise its web policies and procedures to require that all new applications
      and web page adds/changes must be reviewed for use of cookies and collection of
      individually identifiable information. Principal Offices other than SFA and NCES are
      not well-staffed or well-prepared to do this kind of review. Most of them don't do the
      basics like making sure their links work or their pages are accessible. For
      www.ed.gov, to ensure compliance, we'll need to do that in the Web Services Group
      (WSG) and contractor review of materials before they're posted to the live site. OCIO
      will require that the Web Services Group staff and Internet Application Support
      contract staff - the last two steps in the standard web posting workflow for ed.gov -
      consistently conduct such review on all postings. Principal Offices' editors will be
      made aware of the new policies and procedures via the Internet Working Group
      (IWG). OCIO procedures will require cookie tests as part of the acceptance testing
      checklist for future new applications and modifications to ensure compliance.

1.4   Develop and implement procedures to periodically review all servers, sites, and Web
      pages to identify existing cookies and to determine that applicable legal and
      regulatory requirements have been met for their use.

      OCIO's initial research within this short comment period has not uncovered any
      automated tools for this purpose. Without automated tools, it would be excessively
      burdensome to manually check each of the more than 50,000 web pages on
      ed.gov on a periodic basis.
      OCIO proposes instead to:

      •   Scan the site thoroughly once to ensure a clean baseline, using manual methods
          and concentrating on those items most likely to harbor cookies and collection of
          individually identifiable information, i.e., database applications, web discussion
          forums, CGI scripts, and embedded Javascript.

      •   Closely inspect future applications and web page adds/changes to ensure
          continuing compliance.

1.5   Develop and implement procedures to remove obsolete servers, sites, and Web
      pages.

      The ED Web redesign that is currently underway will institute a metadata schema
      that will include Archive/Update Action, Archive/Update Date, and Records
      Management elements to help identify web pages that need to be archived or
      removed. However, until the National Archives and Records Administration (NARA)
      issues clear guidance for web page retention schedules, there will continue to be
      uncertainty among Principal Office editors about whether to retain or remove aging
      pages.

Finding 2. ED Needs to Ensure Privacy Policy Notices Are Provided.

2.1   Identify all major entry points to ED's Internet information as well as any web
      pages where ED collects personal information from the public. Once all of these
      locations are identified, ED needs to create privacy policy notices or obvious links
      to privacy policy notices as required by OMB.

      Twelve of the top twenty entry points, and eight of the top ten entry points (based
      on January 2001 WebTrends reports), now link to ED's general privacy policy
      notice.
      Links will be added to the remaining eight entry points within the next two
      weeks.

      In the absence of automated tools, OCIO will use manual methods and available
      aids such as the Inktomi site search engine and LinkScan link checking/site analysis
      software to help identify pages that are likely to collect personal information, e.g., all
      database applications, web discussion forums, CGI scripts, pages containing the
      words "last name," "first name," "email address," or "phone number". OCIO will
      conduct a one-time scan and cleanup to establish a clean baseline.

2.2   Develop and implement management controls designed to ensure that privacy
      policy notices are located on needed entry points and Web pages of both existing
      and future sites.

      See response to 1.4.

Finding 3. ED Should Monitor Methods for Collecting Personally Identifiable
Information.

      Determine if there is still adequate justification for maintaining anonymous FTP
      servers. If there is such a need, adequate disclosure should be provided to users
      that their email address may be collected using the server and how ED will use the
      email addresses collected.

      The anonymous FTP service on emai102.ed.gov has been shut down by disabling
      anonymous access on emai102.ed.gov and by blocking FTP access to emai102
      through the ED firewall.

      Web Bugs, that is, hidden forms, controls, links to anonymous FTP sites: Our
      Standard Operating Procedures include a review of content and embedded
      controls before any pages are posted to the ed.gov sites.
      In addition, ed.gov is
      managed by the TeamSite application, which continually compares production
      content to backup copies and overwrites any unauthorized changes to production
      content. This has the effect of removing any malicious Web Bugs.

3.2   Develop and implement procedures to identify and prevent Web Bugs, hidden
      forms, embedded client side scripts, links to anonymous FTP servers, or other
      means to collect personally identifiable information from Internet sites without a
      user's direct participation and knowledge.

      To test our sites, the IG used a browser that they were able to control from a
      script. They brought up each page on their list, looking for cookies before and
      after the page was visited, and noted any cookies that were left on the client after
      visiting a page. This is a tedious, resource-consuming process.

      A primary concern is the resources that would be required to review the amount
      of content that is updated daily. We will evaluate alternative solutions but have
      reservations about using the sitemap-driven automated testing procedure, since
      ed.gov contains more than 50,000 individual pages, which would probably put a
      serious strain on both the server and client if a script ran each page through a
      browser. The procedures would require manual attention to each step in the
      process unless the page that produced each cookie were automatically logged.
      We are looking at the upcoming release of the LinkScan link-checking tool we
      already use to check the site each night to see whether it can be used in a more
      efficient way to do the same job.

      See also the responses to 1.4 and 2.1.

Attachment I. ED Activities.
The following comments apply to the sites listed in
Attachment I.

From SFA: Of the eight sites identified as "found" by the IG, five are SFA sites. The wording
in the report suggests that SFA failed to identify these sites as collecting personal data. In
fact, we disagree with the interpretation of what constitutes a site of interest. These sites
have in common an HTML "e-mail" page for reporting problems, or requesting more
information, into which the user types his/her email address. Since we do not maintain this
information in any sort of information store, the site managers apparently believed they were
not "collecting personal information." However, it is SFA policy to provide reminders and
assurances of privacy protection wherever there is even the possibility of a question, so we
will modify these sites accordingly.

From NCES: Item 29 of attachment 1 of the draft audit report is incorrect. The link
indicated, ed.gov/surveys/, is an ASP page that contains an overview of the various
surveys conducted by NCES. It does not collect any personally identifiable information.
Our surveys are collected online at the following URLs:
         IPEDS:                          <http://surveys.nces.ed.gov/ipeds/>
         Academic Libraries:             <http://surveys.nces.ed.gov/library/als/>
         State Library Agencies:         <http://surveys.nces.ed.gov/library/stla/>
These sites do collect personally identifiable information.
Each of these URLs is an
introductory page describing the survey - complete with the OMB clearance number.
Each page contains a privacy policy synopsis describing the site's use of cookies as well
as a link to the full NCES privacy policy.


                                         Amended 02/15/01


From OCIO: Twenty-four of the items listed as lacking the required privacy policy links
(all items identified on www.ed.gov, pfie.ed.gov, and stw.ed.gov) have been fixed:

•   16 items were corrected by adding the required link to the general ED privacy policy
    statement and/or adding language specific to the page: #s 1, 5, 8, 9, 10, 14, 15, 16,
    18, 19, 22, 23, 30, 31, 32, 33

•   6 items were obsolete and were deleted: #s 6, 7, 11, 12, 13, 20
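The glossary's definitions of persistent cookies (item 3) and Web bugs (item 10), together with the scripted cookie test and the keyword scan described in OCIO's responses to 2.1 and 3.2, can be turned into an offline check that a reviewer runs over a fetched page and its response headers. The Python below is an added example, not part of the audit report and not ED's or OCIO's tooling; the hostnames, page contents and Set-Cookie values are constructed, and the report's on-line date (January 26, 2001) is reused as the reference time for cookie lifetimes.

```python
"""Offline checks for what the report audits: persistent cookies, Web bugs, and
pages that collect personally identifiable information (PII) without a privacy
notice. Every sample input below is constructed for this example."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from html.parser import HTMLParser
from urllib.parse import urlparse

# Words OCIO's response to 2.1 proposes searching for, plus the glossary's
# "Social Security number"; matched against visible text and <input> names.
PII_TERMS = ("first name", "last name", "email", "e-mail", "phone", "social security")


def classify_set_cookie(header: str, now: datetime) -> dict:
    """Session or persistent? Max-Age or Expires makes a cookie persistent
    (Max-Age wins if both appear, RFC 6265 s.5.3); an expiry at or before `now`
    is a deletion, not persistence. `now` must be timezone-aware."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    expires = None
    try:
        if "max-age" in attrs:
            expires = now + timedelta(seconds=int(attrs["max-age"]))
        elif "expires" in attrs:
            expires = parsedate_to_datetime(attrs["expires"])
    except (TypeError, ValueError):
        expires = None                 # malformed attribute: treat as a session cookie
    if expires is not None and expires.tzinfo is None:
        expires = expires.replace(tzinfo=timezone.utc)
    persistent = expires is not None and expires > now
    # lifetime_days is how long the cookie outlives the audit (36 years in Finding 1)
    return {"name": name, "persistent": persistent,
            "lifetime_days": (expires - now).days if persistent else 0}


class _PageScanner(HTMLParser):
    """One-pass collector of <img> attributes, <input> names, links and text."""

    def __init__(self):
        super().__init__()
        self.images, self.input_names, self.links, self.text = [], [], [], []
        self._href, self._anchor = None, []        # _href is set while inside <a>

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "img":
            self.images.append(a)
        elif tag == "input":
            self.input_names.append(a.get("name", "").lower())
        elif tag == "a":
            self._href, self._anchor = a.get("href", ""), []

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor)))
            self._href = None

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor.append(data)


def audit_page(html: str, page_url: str) -> dict:
    """Web bug check (glossary item 10) and PII/privacy-notice check (Finding 2)."""
    page_host = urlparse(page_url).hostname
    scan = _PageScanner()
    scan.feed(html)
    # A Web bug loads from a different server than the page and takes almost no
    # space: flag foreign images declared at most 1x1 (undeclared sizes are left
    # for manual review rather than flagged).
    web_bugs = []
    for img in scan.images:
        src = img.get("src", "")
        if urlparse(src).hostname in (None, page_host):
            continue
        try:
            if int(img["width"]) <= 1 and int(img["height"]) <= 1:
                web_bugs.append(src)
        except (KeyError, ValueError):
            pass
    haystack = " ".join(scan.text + scan.input_names).lower()
    pii_terms = sorted(t for t in PII_TERMS if t in haystack)
    has_privacy_link = any("privacy" in f"{href} {text}".lower() for href, text in scan.links)
    return {"web_bugs": web_bugs, "pii_terms": pii_terms, "has_privacy_link": has_privacy_link,
            "needs_privacy_notice": bool(pii_terms) and not has_privacy_link}


# Constructed sample: a feedback form like those SFA describes in its comment,
# plus a tracking pixel so the Web bug check has something to find.
FEEDBACK_PAGE = """<html><body><form action="/cgi-bin/feedback" method="post">
<label>First name: <input name="fname"></label> <label>Last name: <input name="lname"></label>
<label>Email address: <input name="email"></label> <input type="submit" value="Send">
</form><img src="http://www.agency.example/images/logo.gif" width="200" height="60">
<img src="http://counter.tracker.example/pixel.gif" width="1" height="1"></body></html>"""
FIXED_PAGE = FEEDBACK_PAGE.replace(
    '<img src="http://counter.tracker.example/pixel.gif" width="1" height="1">',
    '<a href="/privacy.html">Privacy policy</a>')

# Constructed Set-Cookie values, judged against the report's on-line date.
AUDIT_DATE = datetime(2001, 1, 26, tzinfo=timezone.utc)
SAMPLE_COOKIES = ["CFID=1234; path=/",                                              # session
                  "CFTOKEN=98765; expires=Mon, 26 Jan 2037 00:00:00 GMT; path=/",  # 36 years
                  "sid=abc; Max-Age=3600; Path=/"]                                   # one hour
```

Run `classify_set_cookie` over each Set-Cookie value a server returns and `audit_page` over the fetched body; a page with PII terms and no privacy link, or any `web_bugs` entry, is the reviewer's finding. A header-only check cannot see cookies written by embedded JavaScript, which the response to 1.4 names as a likely hiding place; those are what the IG's scripted browser caught by diffing the cookie jar before and after each page visit, and the two approaches complement each other.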